ORDER BY clause

Use the ORDER BY clause to sort the resulting view that is based on expression results. The result is sorted in ascending or descending order.

Note: When you type an AQL query, use single quotation marks for a string comparison, and use double quotation marks for a property value comparison.

You can use the ORDER BY clause on one or more columns.

Use the GROUP BY and ORDER BY clauses in a single query.

Sort in ascending or descending order by appending the ASC or DESC keyword to the ORDER BY clause.

Examples of ORDER BY clauses

To return results in descending order, use the following syntax:

SELECT sourceBytes, sourceIP 
FROM flows 
WHERE sourceBytes > 1000000 
ORDER BY sourceBytes DESC

To display results in ascending order, use the following syntax:

SELECT sourceBytes, sourceIP
FROM flows 
WHERE sourceBytes > 1000000 
ORDER BY sourceBytes ASC

To determine the top abnormal events or the most bandwidth-intensive IP addresses, you can combine GROUP BY and ORDER BY clauses in a single query. For example, the following query displays the most traffic-intensive IP addresses in descending order:

SELECT sourceIP, SUM(sourceBytes)
FROM flows 
GROUP BY sourceIP
ORDER BY SUM(sourceBytes) DESC

Attention:

When you use the GROUP BY clause with a column name or AQL function, only the first value is returned for the GROUP BY column, by default, even though other values might exist.

When you use a time field in the ORDER BY clause, use a simple datetime field, such as starttime. Using a formatted datetime field can impact the performance of the search.
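
The time-field guidance above, shown as a pair of queries. This is an added example, not part of the original documentation; the DATEFORMAT function, the AS alias, and the LAST 1 HOURS time clause are AQL features that are assumed here and are not described on this page.

```sql
-- Slower: the sort key is a formatted datetime string, so every row's
-- starttime is converted to text before the sort can run.
SELECT DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm') AS flowStart,
       sourceIP,
       sourceBytes
FROM flows
WHERE sourceBytes > 1000000
ORDER BY DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm') DESC
LAST 1 HOURS

-- Preferred: sort on the simple starttime field and apply the formatting
-- only in the SELECT list, where it affects display and not the sort.
SELECT DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm') AS flowStart,
       sourceIP,
       sourceBytes
FROM flows
WHERE sourceBytes > 1000000
ORDER BY starttime DESC
LAST 1 HOURS
```

Both queries return the same large flows, newest first. The second also orders rows that fall within the same minute correctly, because starttime keeps its full precision.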